One-sided Device-Independent Quantum Key Distribution: 
Security, feasibility, and the connection with steering 
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We analyze the security and feasibihty of a protocol for Quantum Key Distribution (QKD), in a context where 
only one of the two parties trusts his measurement apparatus. This scenario lies naturally between standard 
QKD, where both parties trust their measurement apparatuses, and Device-Independent QKD (DI-QKD), where 
neither does, and can be a natural assumption in some practical situations. We show that the requirements 
for obtaining secure keys are much easier to meet than for DI-QKD, which opens promising experimental 
opportunities. We clarify the link between the security of this one-sided DI-QKD scenario and the demonstration 
of quantum steering, in analogy to the link between DI-QKD and the violation of Bell inequalities. 
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PACS numbers: 03.67.Dd, 03.65.Ud, 03.67.Mn 

Quantum Key Distribution (QKD) allows two parties (Al- 
ice and Bob) to establish secret keys at a distance, with se- 
curity guaranteed by the laws of Quantum Mechanics E]]. In 
standard QKD (S-QKD), the security is typically proved un- 
der the assumption that Alice and Bob can trust the physi- 
cal functioning of their preparation and measurement appa- 
ratuses. For instance, standard security proofs for the BB84 
protocol 101 assume that Alice sends qubits to Bob, prepared 
in some eigenstates of the cr^ or Pauli operators, and that 
Bob measures them in one of those two bases. Recent demon- 
strations of hacking of the devices has shown the importance 
and weakness of this assumption Moreover, since QKD 
is becoming commercially available, Alice and Bob may end 
up buying their devices from untrusted providers. 

Remarkably, there are ways to guarantee security with 
fewer assumptions. The minimal set of assumptions is the one 
used in Device-Independent QKD (DI-QKD) H H]. There, 
Alice and Bob can certify the security of QKD based only on 
the observed violation of Bell inequalities the measure- 
ment apparatuses are untrusted black boxes, with a knob sup- 
posedly related to the measurement settings. Alice and Bob 
have only to trust the random number generator with which 
they vary the positions of the knob, and of course the in- 
tegrity of their locations. While the qualitative understanding 
"Bell violation implies security" is certainly true, the deriva- 
tion of quantitative security bounds is challenging. The most 
recent results report on security against the most general at- 
tacks ("coherent attacks") under the assumption that previous 
measurements do not feed any information forward to subse- 
quent ones 10, Hh (or, to put it simply: that the devices are 
memoryless). In addition to these (hopefully temporary) lim- 
itations of the theoretical studies, DI-QKD imposes very de- 
manding requirements on practical demonstrations. In par- 
ticular, the Bell test would need to close the detection loop- 
hole ISl], which requires very high detection efficiencies llOll . 



Intermediate scenarios between S-QKD and DI-QKD re- 
quire less trust than the former and will be easier to implement 
than the latter 111 ill . Imagine for instance that a bank wants to 
establish secret keys with its clients; the bank could invest a 
lot of money to establish one trustworthy measurement de- 
vice, but the clients at the other end of the channel would cer- 
tainly get cheap (and insecure) detection terminals. This leads 
us to study one-sided TA-QKH (IsDI-QKD): we consider an 
entanglement-based scenario in which Bob's measurement 
apparatus is trusted, while Alice's is not. In the entanglement- 
based setup the source is also untrusted, although we will also 
discuss prepare-and-measure (P&M) implementations where 
the source is trusted. We present a security bound against co- 
herent attacks with similar assumptions as in Refs. flUtlj in 
particular that the devices are memoryless, as this enables the 
strongest security analysis presently available. Focusing on 
practical implementations, we show that the detector efficien- 
cies required for a practical implementation of IsDI-QKD are 
much lower than for DI-QKD, making it feasible with exist- 
ing devices. Before that, let us start by stressing a link with a 
hierarchy of tests of quantum nonlocality HT 



QKD and quantum nonlocality. — It is known that no se- 
cret key can be extracted in a QKD experiment if the chan- 
nel between Alice and Bob is entanglement-breaking 113 1. 
Hence, in order to demonstrate security, one must show that 
the channel preserves entanglement. The three different as- 
sumptions on Alice's and Bob's devices mentioned above cor- 
respond naturally to three different criteria for quantum non- 
locality mi (see Figure □: S-QKD or DI-QKD require the 
observed correlations to violate a separability criterion or a 
Bell inequality respectively; IsDI-QKD requires the correla- 
tions to violate an EPR-steering inequality as defined in 114 j. 
That is, if one imagines that Bob's system has a definite (al- 
beit unknown to him) quantum state, the protocol must prove 
that Alice, by her choice of measurement, can affect this state. 



2 



(i) 



(ii) 



(Hi) 



S-QKD 
Entanglement 



1sDI-QKD 



EPR-steering 



DI-QKD 

Bell nonlocality 



a RNG 

4 ^ 



RNG 





FIG. 1 : Link between the three concepts of quantum nonlocality as 
classified in 03] and the three scenarios of S-QKD, IsDI-QKD (this 
paper) and DI-QKD. In order to obtain a secret key, (i) if Alice and 
Bob trust their measurement devices (transparent boxes), then they 
must necessarily demonstrate entanglement; (it) if Alice's measure- 
ment device is untrusted (black box), while Bob's is trusted, then Al- 
ice must demonstrate steering of Bob's state; {Hi} if both Alice's and 
Bob's measurement devices are untrusted, then they must demon- 
strate Bell-nonlocality. In all cases, Alice and Bob must trust their 
random number generator (RNG), and the integrity of their location. 



This sort of nonlocality, first discussed by Einstein, Podolsky 
and Rosen ifisll , was called 'steering' by Schrodinger fl^ . In 
Ref. lfl2ll these concepts of nonlocality arose from considering 
entanglement verification with untrusted parties. However, 
even if Alice and Bob trust each other, as in QKD, they may 
not trust their devices, which is an analogous situation. From 
this perspective, our scenario of IsDI-QKD can thus be seen 
as a practical application of the concept of quantum steering. 

A IsDI-QKD protocol. — We consider the following IsDI 
version of the BBM92 entanglement-based protocol llTIl : Al- 
ice and Bob receive some (typically, photonic) quantum sys- 
tems from an external source. Alice can choose between two 
binary measurements, Ai and A2; since she does not trust her 
measurement device, she treats it as a black box with two pos- 
sible settings, yielding each time one of two possible outputs. 
Bob, on the other hand, trusts his device to make projective 
measurements Bi or B2 in some qubit subspace, typically 
corresponding to the operators Uz and respectively. Af- 
ter publicly announcing which measurements they chose for 
each system, Alice and Bob will try to extract a secret key 
from the conclusive results of the measurements Ai and Bi, 
as explained below, the results of measurements A2 and B2 
will allow them to estimate Eve's information. 

Alice and Bob might not always detect the photons sent by 
the source, because of losses or inefficient detectors. Since 
Bob trusts his detectors, he trusts that Eve cannot control his 
detections. Also, Eve cannot get any useful information from 
Bob's (null) result if the photons going to him are lost or if 
she keeps them. Cases where Bob gets ambiguous results 
(e.g. double clicks) can be dealt with using the techniques of 
Ref. |18]-see Supplemental Material lfl9ll for details. Hence, 
we can safely consider only the cases where Bob gets detec- 



tions. On the other hand, since Alice's measurement device is 
untrusted. Eve could control whether her detectors click de- 
pending on the state she receives and on her choice of mea- 
surement setting. We can therefore not simply discard Al- 
ice's no-detection events. In case her detectors don't click, 
she records a bit value of her choice as the result of her mea- 
surement, keeps track of the fact that her detectors did not 
click, and tells Bob (so that they can later post-select the raw 
key on Alice's detections); Eve has access to that information. 

We denote by Ai and Bi the strings of classical bits Al- 
ice and Bob get from measurements Ai and Bi (and where 
Bob got a detection, as discussed above). Among the bits of 
Ai, some correspond to actual detections by Alice, and some, 
corresponding to non-detections, were simply chosen by Al- 
ice herself. Everyone knows which ones are which. The de- 
tected bits form a string A^ (they'll be post-selectedhy Alice 
and Bob), while those that were not actually detected form a 
string Af"^ (they'll be discarded for the key extraction), so 
that v4i = (A^'^jAf"'). Bob's corresponding bit strings are 
Bf' and Bf^ resp., so that Bi = (Bf , We denote 

by N the length of the strings Ai and Bi, and by n that of the 
strings A^^ and Bf''. 

Security proof and key rate. — Recently, Tomamichel and 
Renner 12011 . together also with Lim and Gisin 12211 have de- 
veloped an approach to QKD based on an uncertainty rela- 
tion for smooth entropies, which enables one to prove security 
against coherent attacks in precisely this IsDI-QKD scenario; 
note however that one also needs (a& in 10, Si) the assumption 
that the devices are memoryless 12311 . To prove the security 
of our protocol in realistic implementations, we extend their 
analysis by considering imperfect detection efficiencies HJl. 

From the ?i-bit strings A^^ and Bf'', on which Eve may 
have some (possibly quantum) information E, Alice and Bob 
can extract, through classical error correction and privacy am- 
plification (from Bob to Alice), a secret key of length n25n 
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Here H^-^^{Bf^\E) denotes the smooth min-entropy ll26ll of 
Bf'', conditioned on quantum side information E; h is the bi- 
nary entropy function: h{Q) = — Qlogj Q — (1 — Q) log2(l — 
Q); and Q^^ is the bit error rate between A^^ and Bf^. 

To bound H^;„(B^''\E), we will use the uncertainty rela- 
tion introduced in 12011 . which bounds Eve's information on 
Bi given Alice's information on the incompatible observable 
B2. However, we need to use the full strings Bi , B2, as post- 
selection may lead to an apparent violation of the uncertainty 
relation. Using the chain rule 12511 and the data-processing in- 
equality 12711 for smooth min-entropies, we first bound Eve's 
information on Bf' relative to her information on Bi : 
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Now, consider a hypothetical run of the protocol where the 
bits of Ai and Bi would be measured in the second basis; we 
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denote by A2 and the corresponding hypothetical strings. 
From the generaHzed uncertainty relation of i20ll . one has 



ni,^(B,\E) > qN - h:,,,^{b.2\A2) 



(5) 



where g is a measure of how distinct Bob's two measure- 
ments are; for orthogonal qubit measurements, q = 1. Here, 
^max(-^2|^2) IS the smooth max-entr opv p.m of B2, condi- 
tioned on A2. It satisfies the following 122 1 



h:^,^{B2\A2) < Nh{Q2)., 



(6) 



where Q2 is the bit error rate between A2 and B2- Now, since 
the choice of basis was made randomly, Q2 is the same as 
the bit error rate observed — without post-selection — when the 
second basis was actually chosen (no matter how rarely) by 
both Alice and Bob. 

Substituting Q, Q and ^ in Eq. we obtain 



£ > 



[1 - /l(gf )] - N [h{Q2) + i-q] 



(7) 



In the asymptotic limit of infinite key len gths , the above ap 



proximate inequality becomes exact 11211 12211 . The fraction 



n/N of photons which Alice detects, given that Bob detected 
one, will be denoted ry^. This allows us to write the secret key 
rate r = t/N (the number of secret bits obtained per photon 
detected by Bob, measured in the first basis), as 



r > va[1 - HQf)] - h{Q2) - {I - q) . 



(8) 



Relation to EPR-steering. — As we recalled before, the se- 
cret key rate above can only be positive if Alice and Bob can 
check that they share entanglement. In our IsDI scenario, this 
amounts to demonstrating quantum steering. Hence, the in- 
equality 77^1 [1 — — /i(Q2) — Q_— 9) < can be under- 
stood as an EPR-steering inequality lll4ll . In the Supplemental 
Material lll9ll . we give a more direct proof of this claim, start- 
ing from the so-called Local Hidden State model 11211 . 

Experimental prospects. — We now turn to the feasibil- 
ity analysis. Consider a typical experimental setup, where 
a source sends maximally entangled 2-qubit states to Ahce 
and Bob, through a depolarizing channel with visibility V, 
and where, as in the BBM92 protocol, Ai = Bi = and 
^2 = -S2 = CTj;, with Alice's detection efficiency being r\A as 
above. (We emphasize that this is simply a model for Alice's 
measurements, which are implemented in a black box.) 

The secret key rate that Alice and Bob can extract is then 
bounded by ([SI), with q=\ and 



)f = (i-y)/2, 



Q2 = (l-77^y)/2. 



Figure|2]shows the values of the bound (O as a function of tia, 
and for different values of V . For a perfect visibility V = 1, 
one gets a positive secret key rate for all t/a > 65.9%. 

This detection probability threshold is much lower than 
those required for DI-QKD. For instance, if Alice and Bob 
have the same detection efficiency t], then they require rj > 
94.6% for the protocol studied in |7]], when they extract their 
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FIG. 2: Solid curves: bounds ^ on the secret key rate r in a typi- 
cal implementation of IsDI-QKD, as a function of Alice's detection 
efficiency rjA, for visibilities V = 1, 0.99, 0.98, 0.95 (from top to 
bottom) and q = 1. Dashed curve: for comparison, bounds (for 
V — 1) for DI-QKD, obtained by adapting the security analysis of 
Ref. 0], when Bob has the same detection efficiency -qs = tja as 
Alice (see Supplemental Material fl^ ). 



key from the non-post-selected data. If the key is extracted 
from the post-selected data (as we considered here for IsDI- 
QKD), the threshold remains quite high, r/ > 91.1% (see 
Figure 12] and Supplemental Material lll9ll ). The much lower 
efficiency threshold for IsDI-QKD compared with DI-QKD 
is related to the fact that it is much easier to close the de- 
tection loophole in a steering experiment 1 28 -33] than in a 



Bell test, for which there are no photonic detection-loophole 
free demonstrations to date. Heralding efficiencies of ~ 62% 
have recently been reported Isoll . in an experiment demon- 
strating detection-loophole-free quantum steering; our IsDI- 
QKD protocol could be demonstrated with a very similar (but 
slightly improved) experimental setup. 

Note also that in the IsDI-QKD case, the losses between the 
source and Bob's lab do not affect the security of the protocol; 
they only decrease the key rate proportionally to the decrease 
of Bob's detection rate (as long as the noise in Bob's detectors 
does not become prominent). Hence, long distances can in 
principle be reached if the source stays close to Alice; this is 
in contrast to the fully DI-QKD case, where the limit on the 
detection efficiencies imposes a limit on the allowed distance 
between Alice and Bob (although some proposals have been 
suggested to overcome this problem l3ll - l33ll ). 

Comparison of different scenarios. — Key rate bounds for 
entanglement-based QKD also apply to P&M schemes, as 
long as the preparation device can be trusted to produce a 
certain average state independent of Alice's (or Bob's, as the 
case may be) choice of preparation basis (e.g. the completely 
mixed state, regardless of whether cr^ or az is the chosen ba- 
sis). A preparation device with this property can be envis- 
aged as a trusted entanglement source situated in Alice's (or 
Bob's) laboratory, with a trusted channel between it and the 
local detector In this picture it still makes sense to consider 
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the case where the local "hypothetical" detector is untrusted, 
as this is equivalent to saying that we cannot trust the prepa- 
ration device to prepare the desired state. Here the efficiency 
(which we will denote as if) of the hypothetical detector mod- 
els the probability that the preparation device registers to the 
sender which of the two states (in the chosen basis) was sent. 
For a well-functioning device this can be close to unity; even 
if the preparation does use a probabilistic photon-pair source 
and a detector, the sender can generate many pairs within the 
time window for each system, and switch out the system (one 
photon, ideally) only when its preparation is heralded by the 
detection of the other A greater experimental challenge is 
the loss of the heralded photon (within the sender's lab or en 
mute), which must be factored into the receiver's efficiency. 

Considering all non-trivial permutations of device trust- 
worthiness, there are eight P&M scenarios, and four genuine 
entanglement-based scenarios, whose security can be anal- 
ysed using the methods of Refs. ll20ll or |01. We remove 
mirror-image scenarios by keeping only the version which is 
better (or equally good) under the assumption of the privacy 
amplification being from Bob to Alice, as shown in Table U 
Note that P&M by Bob with a fully trusted preparation device 
(row 3) does not improve the threshold efficiency required 
for Alice's untrusted detector, as compared to steering-based 
IsDI-QKD with an untrusted entanglement source (row 6). 

Conclusion. — We have introduced the scenario of IsDI- 
QKD and analyzed its security against coherent attacks in 
a practical situation where losses are taken into account. 
Our analysis shows that the assumptions of IsDI-QKD allow 
one to significantly lower the necessary detection efficiencies 
compared to fully DI-QKD, and that the requirements for ob- 
taining secure key rates in an experiment are within the range 
of current technology. 

We have also stressed that IsDI-QKD requires the violation 
of an EPR-steering inequality, in analogy with the require- 
ment of violation of a Bell inequality for security of DI-QKD. 
The relation between the QKD hierarchy and the nonlocality 
hierarchy introduces some open questions: (i) It has recently 
been shown that steering can be demonstrated with arbitrarily 
low efficiencies [283. Can one find (and prove the security of) 
IsDI-QKD protocols that would also tolerate arbitrarily low 
efficiencies? (ii) With 2 measurement settings per party, steer- 
ing can be demonstrated for efficiencies r/A > 50% lEsilsoll . 
There is a large gap between this and the threshold of ^ 66% 
for our IsDI-QKD protocol. The same situation occurs for 
fully DI-QKD, where there is also a gap between the thresh- 
old of ?7 > 82.8% for a violation of the CHSH inequality H 
and that for the security of DI-QKD. How small can these be 
made in general? Another topic for further research is to ex- 
tend our results to finite keys, for instance along the lines of 
Ref. m. 
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TABLE I: Best known bounds on secret key rates for QKD (secure 
against coherent attacks) with privacy amplification from Bob to Al- 
ice and memoryless devices, both P&M and entanglement-based. 
The second column tells which of the components — Alice's detec- 
tors (AD), the source (S), Bob's detector (BD) and each of the chan- 
nels (C) between the source and the detectors — are trusted (T) or 
untrusted (U). Thick vertical lines in each row separate Alice's lab, 
the channel open to Eve, and Bob's lab. In the P&M cases, the de- 
tector plus source in a lab is a formal model for a preparation device; 
the efficiency 77* in these cases models the probability that the prepa- 
ration device registers which state is prepared, and would typically 
be close to unity (for details see text). In column three, the bounds 
on key rates (here, per photon pair produced by the source, i.e. per 
preparation event in the P&M cases) are given in terms of the func- 
tions ra{Ql\Qf) = r/sr/Afl - KQf) - h{Qf)\ from S-QKD, 
ri{QT,Q2) = r]B{riA[l - KQf)] - /^(Qa)} from Eg. {jl . and 
r2{QT,S) = nAMl -MQT)\ ~ log2 [l + v/2 - (5/2)2] (^ee 
Supplemental Material 111]). Here S is the value of the CHSH poly- 
nomial (U, while Qi and Q2 are bit error rates. The superscript ps 
means post-selection on coincident detections; Q2 in ri{Q\^ , Q2) is 
post-selected on Bob's detections, but not on Alice's; 5* must be esti- 
mated from the whole non-postselected data. The Efficiency Thresh- 
olds (column four) are calculated with everything else perfect. In row 
4, we assumed r/|; — > 1 (the threshold we quote is therefore a lower 
bound on the thresholds for rj*g < 1), while in row 7, rjA ~ Vb = V- 



Note added. — While finishin g w riting this manuscript, we 
became aware of a related work 13511 where similar bounds on 
the detection efficiency thresholds are derived. 
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Practical detectors and multiple counts. — In practical im- 
plementations with photons, Bob's detector comprises two 
photon counters, corresponding to his two possible outputs. 
Because of dark counts or imperfect state preparation (i.e. the 
presence of multi-photon states) there will be rare occasions 
where both counters click. In such cases, our protocol requires 
Bob to output a random result. This is a standard way to treat 
double clicks in the context of QKD ISlll . When Bob imple- 
ments the (Jz or <Tx measurements, his detection scheme has 
a "squashing property" that should allow one to extend the 
present theoretical security proof for perfect qubit states (on 
Bob's side) to imperfect implementations lS2ll . 



Direct proof that "r < 0" is a steering inequality. — We 
obtained in Eq. (8) in the main text a bound on the secret 
key rate of our IsDI-QKD protocol. As we argued, a posi- 
tive secret key rate can be obtained only if Alice and Bob can 
demonstrate steering. That is, if they violate the inequality 
"r.h.s of Eq. (8) < 0", or more explicitly 



r,h{Qf) + h{Q2) + > q, 



(SI) 



then they can conclude that they have demonstrated steering: 
Eq. dSlb thus defines an EPR-steering inequality ISSll . 



Here we show in a different way that ( ISII ) is indeed an EPR- 
steering inequality, starting more directly from the Local Hid- 
den State model ISSll — a local model whereby the statistics 
observed by Alice and Bob can be decomposed as lS4ll 



Pi~a,,b,) = ^P(A)P(a,|A)PQ(5,|A), (S2) 



where hi = (a^, s), with — ±1 and bj ~ ±1 denoting the 
experimental outcomes corresponding to measurements Ai, 
Bj, and s denoting whether Alice gets a detection (s = 1) or 
not (s = 0); recall that in case of no detection, Alice's result 
Gi is chosen to be a pre-established bit in our IsDI-QKD pro- 
tocol and will contribute to the bit string Af'^. The subscript 
Q indicates that Bob's statistics are determined by quantum 
mechanics: Pq(5j |A) = Tr[Ejpx], where px is some quan- 
tum state (in our case, a qubit state) and {Ej} are the positive 
operators summing to unity which describe his measurements. 

The variable A fully specifies the quantum state received 
by Bob. As a consequence, Alice can have no more informa- 
tion on average about Bob's results than what one could know 
through A. In terms of conditional entropies, this implies that 



H{B,\A) > H{B,\K), 



(S3) 



where H{B,\A,) = T.~a,P{'^i)H{B,\h,) and 
H(B.,\K) = Y.\PWH{Bi\\)\k the average en- 
tropies of Bob's measurement Bi conditioned on the 
knowledge of the result of Ai and of A, respectively. 



with H{B,\h) = ^Y.b■P{b^\a^)\og^P{b^\~a^) and 
H{B.,\\) = ~T.b^PQ{h\\)\og^PQ{h\\). 

Now, Bob's statistics, conditioned on A, are by assumption 
given by a quantum state; they must therefore satisfy all quan- 
tum uncertainty relations, and in particular 



H{Bi\\)+H{B2\\)>q, 



(S4) 



whe re o quantifies how different the measurements Bi and B2 
are ISSll . Together with ( IS3l l, we obtain 



H{BMi) + H{B2\A2)>q. 



(S5) 



Denoting for Ai when Si ~ \ and ^^"^ for Ai when 
Si = 0, and assuming that P{si = 1) = rjA independently 
of Ai (as should be the case if it is a detector efficiency), we 
have 

H{B,\A{) = i^AH{Bf\Af) + {\-riA)H{Bf^\Af-). (S6) 

Now, one can easily check (using for instance the concavity 
of the binary entropy function) that for binary variables A and 
B, one has 



H{B\A) < hiQ), 



(S7) 



where Q is the bit error rate relative to A and B (the proba- 
bility that A ^ B). Applying this to ( [S6l ) for i = 1, it follows 
that 



H{B,\Ai) < 77A/i(gr) + (1 - ^a), 
while on the other hand 

HiB2\A2) < H{B2\A2) < hiQ2). 



(S8) 



(S9) 



Substituting ([S8]) and in ([S5]l we finally obtain ([ST]i, as 
desired. 

Note that for the purpose of deriving an EPR-steering in- 
equality, there is no need to follow the last steps of the 
above procedure where we treat and bound H{Bi\Ai) and 
H{B2\A2) differently. Rather we can use Eq. dSSt directly 
as an EPR-steering inequality. Under the usual conditions for 
QKD as discussed in the main text, q = 1 and Eq. ( IS8I 1 be- 
comes a tight inequality, so Eq. ( IS5b then becomes 



r,A[2^hiQr)-hiQl')]<l. 



(SIO) 



For perfect correlations (Qf' = Q2'' = 0), this will be vio- 
lated (indicating EPR-steering) provided that riA> \. This is 
the minimum possible efficiency threshold for EPR-steering 
using two settings Isill . 

Comparison with DI-QKD. — In the DI-QKD case, the 
strongest security analysis available today is that of Masanes, 
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Pironio and Acm lISTIl . who showed the security of a large 
class of protocols against coherent attacks (under the techni- 
cal assumption that the devices are memoryless). In the sim- 
plest version, the protocol they consider involves Alice and 
Bob measuring in bases that enable a CHSH inequality ISST 
to be tested, where one of Bob's bases is that which is used 
(together with a different one of Alice's bases) to yield the se- 
cret shared key. Let the CHSH polynomial have the value S 
(such that |5| < 2\/2 for quantum correlations, and |5| > 2 
indicates a violation of the CHSH inequality), and let the non- 
post-selected quantum bit error rate for measurements in the 
bases that will yield the key be Qi. Then Ref. ISTIl shows that 
the final key rate can be bounded from below by 



''MPA 



= 1 - /i(gi) - log2 [1 + V2-(^/2)2]. (Sll) 



For a visibility V and inefficiencies tja and riB,we have a raw 
shared random key with bit error rate Qi = [1 — (1 — 77/i)(l — 
?7b)-^?7a?7b]/2, and a CHSH parameter 5" = 2V2V7]aVb + 
2(1 — 77a)(1 — Vb)- The latter is obtained if Alice and Bob 
use the same predetermined list of random results whenever 
they fail to detect a photon. With V = 1 and tja = rjB 
rj, Eq. ( ISl 11 1 yields a positive key rate for rj > 94.5%. In 
the situation of prepare-and-measure (P&M), where there is a 
trusted source in Bob's lab, but his detector is still untrusted, 
we replace jys by 77^, Bob's preparation efficiency. Taking 
rjg 1, Eq. dSlll l gives a lower bound 77^ > 89.6%. 

We now show that Alice and Bob can improve their se- 
cret key rate by extracting their secret key from the data post- 
selected on coincidence detections, as we suggested here for 
the case of IsDI-QKD. Indeed, one can apply our analysis to 
that of Ref. ISTT to find a new secret key rate bounded from 
below by 



r2 = mVB[l - hiQf)] - log2 [1 + ^2 - {Sl2f\ . (S12) 

Here S is unchanged from above (it must still be estimated 
from the whole non-postselected data), while Q^^ = (1 — 
V)/2. With y = 1 and rjA = Vb = this yields a positive 
key rate for j] > 91.1%. Considering again the P&M case 
with 7]^ — > 1, we obtain the lower bound -q^ > 83.3%. These 



are the figures appearing in Table 1 in the main text. In both 
cases, but especially the P&M case, using our post-selection 
technique yields substantially better efficiency thresholds than 
the non-post-selected protocols. We note that somewhat lower 
efficiency thresholds for DI-QKD (77 > 92.3% and 77 > 
88.9% for the entanglement-based schemes, with and without 
post-selection, resp.) can be obtained using the analysis of 
Ref. iS% . However, this analysis shows security only against 
collective attacks (which includes, in particular, the assump- 
tion that the devices are memoryless). 

In the main text we presented only the post-selected ver- 
sion of IsDI-QKD. However one can also consider a non- 
post-selected version of that, in which Alice and Bob try to 
extract a secret key directly from the non-post-selected data 
Ai,Bi (rather than from A^'',Bf''; note however that we 
still post-select on a detection by Bob). In this case the 
key rate per detection by Bob is bounded from below by 
1 — h{Qi) — h{Q2) for security against coherent attacks. Here 
for a typical implementation the bit error rates are both given 
by Qi = (1 — VriA)/2, and with V = 1, we get a positive 
rate for r/A > 78.0%. Recall that when Alice and Bob use 
the post-selected data, the threshold is rjA > 65.9%, so the 
improvement is even more dramatic than in the fully DI case. 
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